In the past few weeks lay-offs at several large pentesting companies have been in the news. At Raxis we understand the struggle to find and keep strong talent while balancing that with continuing sales to keep profitable, but it may be more than that.
With the recent announcement of layoffs that we’ve seen in cybersecurity firms, I can’t help but wonder if these bigger companies are missing the target due to their corporate nature and overly broad service offerings.
Raxis CEO, Mark Puckett
We’ve often been tempted to add on to Raxis’ offerings to meet customer’s needs or to join growing markets, but we always come back to a focus on pentesting. From red teams to security reviews, network pentests to application tests, our pentesters are experts in their field and enjoy their work. That’s what keeps them learning (don’t remind them that counts as work and not just fun!) and it’s also what allows us to provide our customers with the highest quality actionable results.
We’ve had many pentesters come to us stating that they no longer want to work for larger operations.
And we get that. I feel the same way, but it feels good to know that the team at Raxis agrees and feels that we’ve built a company where each of us is a key part of the team and feels appreciated. There are no small roles at Raxis, and each of us knows that.
Being small allows us to maintain our strong feeling of camaraderie, despite the limitations of being virtual. We make it a point to get to know each other, have ‘zoom happy-hours,’ and encourage chatting on things outside of work from time to time on Slack.
Being 100% virtual makes for a very short commute and a pleasant work environment, but that’s not what makes Raxis special. Our team is very supportive, not just for work but also because we respect each other and feel a strong connection. If one of us collects Spam containers (you know who you are), the rest of us send photos of odd Spam we find (in the most surprising places). From kid’s birthday parties to cracking a difficult password, our team is there for each other.
We are largely a group of whitehat hackers, making it much easier to attract top talent in our industry.
That’s honestly what makes it so fun to work at Raxis. We’re a group of folks who care about helping companies stay secure. Our job is a lot of fun, but, in the end, we feel good about what we do.
Interesting in joining the team? We’re looking for part-time contractor pentesters now. US citizens residing in the United States can apply on our Careers page.
I’m Andrew Trexler, senior penetration tester at Raxis. As the Raxis team member to earn the Offensive Security Certified Professional (OSCP) designation most recently, I’m sharing my thoughts about the experience. My goals are to provide you with information I found helpful as well as to share some things I wish I had known in advance.
Why take the OSCP?
If you’re serious about being a penetration tester, the OSCP is, for all intents and purposes, the industry standard. As I considered pentesting as a career, I spoke with lots of people who were working in the field already. Consistently, they recommended getting the certificate, which requires taking the Penetration Testing with Kali Linux (PWK) course. I also watched a great YouTube video by John Hammond in which he recommended it.
In truth, the course is useful for any career in cybersecurity, not just pentesting. If you’re working on a blue team, for example, the experience of hacking into a network provides a lot of valuable insights for developing a cyber defense strategy.
Where to Start
As I mentioned, you start officially with the PWK course. Going through it is helpful, and you really do learn a lot. The course includes a manual along with a lab environment. It is self-paced, so you go through it on your own time and schedule the test when you’re ready to take it.
However, there are some things I recommend doing beforehand. If you are new to the pentesting/cybersecurity field I would start with some capture-the-flag (CTF) exercises like those found here. After getting comfortable with CTFs, you might find it helpful to move on to sites like Hack the Box or TryHackMe. Doing these first will help you hit the ground and get running a little faster in the lab environment.
How to Make the Most of Your Coursework
Take lots of notes. While going through the lab, you’ll do many different things – and you’ll do the same things multiple times. Keeping notes on how you got access to each machine during the lab work (yes, with copy/paste commands and explanations) will help during the test. Your notes can give you ideas and help you remember difficult syntax. Also, notes that act as cheat sheets with common commands are especially helpful. (I use Obsidian to take notes in Markdown.)
Further, I recommend spending as much time in the lab as possible. While there is a forum for users, it may sound like the people there are speaking in code. If you struggle, just keep working the problem and learning. If you do get stuck, ask questions in the forum. From my experience everyone is helpful, but they know it’s more important to guide you to an answer than give it to you. Those who answer usually do it in a way that makes you learn the solution on your own, and you’ll thank them for that when you are taking the OSCP exam.
About the Lab
The lab houses more than 70 different computers. Most of these computers contain vulnerable software that can be exploited – and some don’t. The idea is to exploit a vulnerable machine, grab any information it’s storing, and then use it to access a machine that does not have a vulnerability.
Among the vulnerabilities you’ll see in the lab are ones that are well-known and that have been around for years. EternalBlue is one example. Then, there are smaller applications that still have known vulnerabilities, but require a little searching to find the right exploit.
The real challenges are the custom applications that either can be used to gain access or have their own vulnerabilities that require custom exploitation, using anything from XSS to SQLi to LFI/RFI. There are also remote and local exploits to gain access and then escalate privileges.
See a term you don’t recognize? Visit our glossary.
To me, the most interesting part of the lab is the subnet structure. There are different subnets that require access to an initial computer, at which point you can pivot and pass traffic through that computer. This proxying traffic can be the only way to hit and exploit the other machines on the subnet.
How the Test Works
There are five different machines on the test. On each are text files that can be submitted to prove your access. Depending on the difficulty of the machine, these files are worth varying numbers of points. Of 100 available points, you’ll need 70 to pass the exam.
However, to get credit for those points, you have 24 hours to write a report that includes the steps you took to exploit the machine. These must be replicable by a technically competent reader and must contain either the link to the exploit code used or the exploit code if changes were made to it.
During the exam, you are not allowed to use automated exploit tools. Metasploit can only be used once during the test, whether it works or not. Other exploits must be created manually by inputting the correct data or scripts, which may require some trial and error.
What to do Before the Exam
It sounds counterintuitive, but I don’t recommend studying or practicing right up until test time. Instead, try to take the day before the exam to prepare for how you’re going to take it. The exam must be completed in 24 hours, but you can pick an early or late start time. If you’re an early riser, start early. If you like to sleep in, start later. The point is to make sure that you play to your own strengths.
Use your prep to do other helpful things as well. Maybe make sandwiches for the next day or set up the computer you are going to use to take the test. Figuring out things that you can do the day before can and will make things easier come test day.
What to do on Exam Day
The hardest part of the exam is the time management. The attacks to gain access are straightforward once you find them. However, you might have to change things up to get the exploit to work.
Be sure to watch out for rabbit holes. There aren’t many, but being able to recognize them and get out of them quickly is a critical skill. Part of what they are testing is how quickly you figure out when you’re on the wrong path . . . or if you just haven’t gone far enough down the right one.
Also keeping things fresh and not getting frustrated is key. That’s why it’s important to take your time, despite the deadline. I felt pressured by the 24-hour time limit, but it helped a lot to take a five-minute break about once each hour. Walking away from the computer and just re-setting a little bit can bring the burst of inspiration that helps you get to the next step.
Incidentally, time management is a skill that’s even more essential in your career as a pentester. There’s only a certain amount of time allotted for testing, so you can’t get sidetracked chasing dead ends.
Final Thoughts
Remember that this is a professional certification, and many people don’t pass it on their first try. Let that take some of the pressure off. If you don’t pass this time, you always have next time.
And, yes, it’s very hard. But that’s a good thing. If it were easy, everyone could do it and that would rob you of the satisfaction and respect that comes with earning your OSCP.
As founder and CEO, I say that with a great deal of pride – and only one (very important) qualifier.
Raxis is an amazing place to work if you’re the right person for the job.
Over the past several weeks, you’ve heard from our employees about what makes it special to be part of our team.
Throughout this series, they told you what it‘s like to work for Raxis, the skills needed to be a penetration tester, and how communication is key to, not only our success, but also the success of our clients. While I am very proud of what Raxis has done and how good we are at it, I am even more proud of the culture we have created.
At Raxis, we truly believe in fostering a culture of education. We take pride in the learning environment we have created and the continued growth of our people. We encourage our employees to constantly expand on their skills and to share as they go — when one learns, we all learn.
We also believe in giving our employees the freedom to do their job on their own time. With that freedom, the expectation of results is understood. Our fully remote team is made up of people who don’t need constant supervision and instruction. Instead, our team is driven by their commitment to finding results for our customers.
Most importantly, when it comes to fostering the Raxis culture, it comes down to teamwork. Our diverse team is composed of some of the brightest minds in the business all bringing different backgrounds and skillsets. We learn from one another, and by learning and working together, we provide amazing value for our clients.
Now, I’ll let you in on a little secret: What makes it special to me is all of them – the world-class team of professionals we’ve assembled. Their intellect, tech skills, experience, and personalities make each day interesting, exciting, and incredibly rewarding.
Being part of the Raxis team is not an easy job, but it is a fun job. Again, if you’re the right person for it.
Do you have what it takes to be part of our team? Please make sure to watch all the videos in this series. Honestly assess your ability to thrive in an environment where we value accountability far more than control. Where freedom and flexibility bring out our absolute best work. And where we’re as excited about tomorrow’s challenges as today’s victories.
If that sounds like your ideal work environment – and you’ve got the skills to hit the ground running – then let us hear from you.
When it comes to choosing a job, there are so many things to consider – benefits, responsibilities, leadership, and of course pay — to name just a few.
But for many, a company’s culture is near the top of that list. In fact, an Indeed survey found that 72 percent of job seekers say that it is extremely or very important to see details about company culture in job descriptions. The survey also found that 46 percent of job seekers said they would not apply to a job if they did not believe it would be a good culture fit for them. That’s pretty eye opening.
At Raxis, we look for talented people we know will work well with our unique culture. If you think that makes us very selective when hiring, I’d say that’s accurate. But here’s why: We give our employees a great deal of freedom about when and how to get their jobs done. With a fully remote team, we hire people who don’t need constant supervision and instruction. Instead, they are driven by a powerful desire to get results for our customers, and we hold them accountable for doing just that.
Not everyone works well in that type of environment — and that’s okay. There are lots of tech jobs with an abundance of structure and routine. But if you’re the type who thrives outside a rigid environment, and you do your best work independently, check out the video below (and others in the series).
Raxis lead penetration tester Scottie Cole talks about the freedom he has as a Raxis team member and the tremendous responsibility that comes along with it.
We know how important culture is to prospective employees. It’s just that important to Raxis, too. If you’re a talented cybersecurity pro who values flexibility and is committed to results, you’re the kind of person we want to hear from.
For more information, check out our careers page and the rest of our website to see what we offer.
Ask most of us at Raxis what we do, and we’ll tell you we’re penetration testers or ethical hackers or simply that we work for a cybersecurity company. But if you ask what that means – what we really do on a day-to-day basis – you’ll likely get a variety of fun stories about sneaking into buildings, bluffing our way past security guards, using high-tech equipment and special software to hack into networks . . . you know, the usual things.
That’s partly because the field of penetration testing requires us to try many different approaches to breach a customer’s defenses, which means the more skillsets we bring to the job, the better our chances. But it’s also because Raxis is a company where those additional talents are rewarded with opportunities to grow.
In this week’s video, Adam Fernandez explains how his journey at Raxis has taken him from pen tester to his current role as our Lead Developer.
Adam is a great example of the unique talent we have at Raxis and the type of multifaceted professionals we look for to join our team. His professional growth is helping our company grow and in turn opening up new opportunities for all of us.
Are you the kind of person who brings more than one set of skills to the job? Are you looking for a team where flexibility and adaptability are appreciated and rewarded? If so, take a look at the other articles in this series and let us hear from you.
At Raxis, we find communication with our clients is one of the most critical and key components of our service.
Throughout the penetration testing process we are communicating with our clients through daily updates, at the end we provide not only a debriefing call but also a full report describing what we found, what it means for them, and steps they can take to resolve any issues uncovered throughout the process.
In the video above, Raxis Senior Manager of Operations and Customer Delivery Tim Semchenko explains how critical the after-action reporting is for our clients.
It is undeniable that finding network security vulnerabilities and helping our clients shore up those weak spots is a huge component of what we do. However, the key to a successful engagement between us and the client is all about the communication. Our penetration testers must be able to not only find security flaws but also to accurately communicate these issues with the client as well as detail how to remedy them.
We could simply drop a report on your desk showing what we found and what to do to fix it, but that just isn’t who we are. We want our clients to feel that Raxis is a trusted partner who respects them and is there to help them understand every aspect of their report.
By treating customers like partners, we ensure our success is based on your success.
In today’s video, you’ll hear from Lead Penetration Tester Matt Dunn, the newest member of our team, about why he appreciates the learning environment we’ve created and continue to nurture at Raxis.
Matt actually came to Raxis with several certifications under his belt and another now in progress. That proactive quest for knowledge was a good sign that he would be a great fit on our team and was among the reasons we hired him. As it turns out, we were right: Not only has he done excellent work as a penetration tester, Matt has also published his first Metasploit Module. (For the uninitiated, that is a very big deal in the pen testing world.)
To be clear, it is certainly possible to be an outstanding penetration tester without professional certifications. Likewise, I’m sure there are bad testers out there with walls full of them. As with Matt, however, taking the initiative and making the effort suggests that you are willing and able to learn – and that is a key differentiator for both pen testers and the companies that employ them.
Why? Because the threat landscape is constantly evolving, and our knowledge and skills have to keep pace. That means the pros that make up our team have to be smart enough to hit the ground running and humble enough to continue learning once they’re on board.
Listen to Matt describe his experience, and you’ll get an idea of what this means in practice.
At Raxis, we foster a learning environment, not just through research and certification training, but also through open communication among our team members. This group includes people from diverse backgrounds who each bring unique skills to the table. When we hire, we look for individuals who are both willing to share their talents with us and also able to learn from the other accomplished professionals on our team.
Do you thrive in a learning culture? If so, Raxis might just be for you. Be sure to check out our other videos in this series and see if Raxis is the opportunity you’ve been looking for.
Here are some other videos you may find interesting:
As individuals, the members of the Raxis team are among the most talented and accomplished people in the field of information security. They are super-smart high performers who have been or could be successful in many different lines of work. Yet, they have chosen to be a part of Raxis.
Why? For one thing, the job is interesting and rewarding. Knowing that we’re giving business owners and corporate leaders peace of mind and allowing them to focus on their priorities is a very satisfying experience. And it’s hard to beat the sense of accomplishment that comes from solving the ‘puzzles’ that CTO Brian Tant discussed in a previous post.
An even more important benefit, however, is the sense that, as Raxis, we’re part of something bigger than ourselves. That’s because effective teamwork creates a multiplier effect. We get the benefit of more minds working on tough problems and we have opportunities to learn and teach each other as we do.
The diversity of our team means that there’s always someone we can turn to who brings a different background and skillset to bear. As they do, we all gain new perspectives. The beautiful part is that the learning and improvement is continuous in the Raxis environment.
As you might expect, this makes us very protective of our culture and very particular about who we ask to join us. Big talent is welcome. Big egos need not apply. It’s sometimes hard for us to find the right person only because it’s so hard to bethe right person.
Is that person you? Take a look at the video above and hear Brad Herring, our VP of Business Development, explain why teamwork truly is our special sauce. Also, check out our other videos in this series and see if Raxis looks like a good fit.
One of the great things about being a penetration tester is explaining what we do to people inside andoutside the world of cybersecurity. Having done this work myself and now managing others, I can’t imagine a more fascinating job. However, I also can’t imagine doing this job for any company other than Raxis.
That’s because we’ve assembled a team of outstanding professionals with wildly diverse backgrounds that range from film and television to law enforcement to web design to IT administration and software development. We are, of course, expert hackers, but working for Raxis means that we all bring much more to the table.
Over the next several weeks, we’ll be offering up a series of videos that will show you what our company and our work is truly like. These videos will likely be helpful if you’re interested in penetration as a career. They must-watch material if you want a career at Raxis.
In addition to an advanced skillset, we expect an incredibly high degree of integrity. The nature of our works means that we only bring on people who have held positions of trust and who have proven themselves worthy of ours.
Integrity is essential, but it’s only one part of the larger picture that is culture. Beginning with our founder, we’ve brought on people who work well together, naturally. We have created a culture that places a high value on creative thinking, problem-solving, and above all, teamwork.
Please take a look at our inaugural video above. Raxis’ chief technology officer Brian Tant and I will explain how each penetration test demands presents different issues and opportunities. If you think you have what it takes to join our ranks, keep watching in the weeks ahead as other members of the Raxis team discuss different aspects of life in our world.
Also, keep an eye on our careers page. Occasionally, we have openings for people with the right skills, determination, and attitude to join our team.
